The Director of the Office for Civil Rights (“OCR”), Leon Rodriguez, has made clear that he “absolutely” plans to continue the office’s ongoing efforts to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties and other enforcement actions. He has emphasized that privacy and security are issues that “really matter to me personally and really matter to the secretary of HHS”. “So we’re going to be serious about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy.”
At the October 2, 2012 HCCA conference in Baltimore, KPMG announced that $10,000,000 has been budgeted for each of 2013 and 2014 to conduct additional HIPAA/HITECH audits. The findings of the HIPAA/HITECH compliance audits conducted by KPMG in 2012 have revealed a significant lack of compliance with the Privacy and Security Rules. The same Audit Protocol jointly developed by OCR and KPMG will be used for the new audits.
On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Conference in Washington, D.C., hosted by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), Mr. Rodriguez highlighted OCR’s new audit program, which he expects will become “a permanent and robust program.” According to Mr. Rodriguez, together with the HITECH breach notification requirements, the audits help OCR identify significant vulnerabilities affecting both electronic and hard copy protected health information (“PHI”). Linda Sanches, the senior advisor at OCR responsible for the audit program, further advised covered entities and business associates to review and assess the actions they have taken to comply with HIPAA, and to “find all [their] PHI,” taking into consideration that PHI is now stored on new types of equipment that did not exist ten years ago. OCR is currently in the process of determining what the business associate audit program will look like.
What have the audits discovered so far?
• 65% of the violations are in the security area
• 42.70% of the security violations involve administrative safeguards
• 16.70% of the security violations involve physical safeguards
• Policies and procedures exist but are outdated or not implemented
• HIPAA compliance programs were not a priority
• Larger institutions continue to have security problems
• Entities are not conducting regular risk assessments
• Entities are not managing third party risks
What does this mean for you as a covered entity?
1. Your odds of being audited have now increased
2. OCR is under Congressional pressure to enforce HIPAA/HITECH
3. You need to have current policies and procedures that are implemented
4. You need to have updated risk assessments
• You need to be aware of the findings and corrective actions in OCR’s recent enforcement actions
• You must have an up-to-date risk assessment of your compliance with the Privacy and Security Rules. If you had a breach or security incident, an additional risk assessment has to be performed that specifically addresses the factors that resulted in the breach or violation
How you can prepare for an audit:
• Consult with your attorney and IT consultant
• Conduct robust assessments with annual or bi-annual reassessments for compliance
• Map/flow PHI movement within your organization, as well as flows to/from third parties
• Perform data discovery to find all of your PHI
• Establish effective technical safeguards over PHI (encryption, access management, restriction of access to required use only)
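The “find all of your PHI” step above is the one most often skipped because nobody knows where to start. The following is an added example (not code from the page or from OCR/KPMG) of a minimal data discovery pass: it scans a set of text sources for common identifier patterns, masks every hit so the report itself does not become another copy of PHI, and tallies findings per location as raw material for the PHI data map mentioned in the “Map/flow PHI movement” step. The sample files, the MRN format and the choice of patterns are constructed assumptions; real MRN layouts vary by system, and regex hits must be confirmed by a person before they go into an inventory.

```python
"""Constructed PHI discovery example: scan text sources for identifier patterns."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample "files" standing in for a file share, an export directory
# and a log path. None of these records describe a real person.
SAMPLE_FILES = {
    "exports/billing_2012.csv": (
        "patient,ssn,dob,balance\n"
        "Jane Roe,123-45-6789,04/12/1965,250.00\n"
        "John Doe,456-78-9012,11/30/1978,0.00\n"
    ),
    "tmp/scanner_log.txt": (
        "MRN 00123456 checked in 08:15\n"
        "MRN# 00987654 discharged\n"
    ),
    "notes/readme.txt": "No patient identifiers in this file. Build 2012.10.02.\n",
}

# Heuristic patterns for a few common identifiers. The SSN pattern excludes
# area numbers that are never issued (000, 666, 900-999) to cut false hits;
# the MRN prefix and digit count are an assumption, since MRN layouts vary.
PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
    "DOB": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked: str  # only the last four characters survive in the report


def mask(value: str) -> str:
    """Redact all but the last four characters so the report is not itself PHI."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per pattern match, line by line, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, mask(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan every (path, contents) pair; in practice paths would come from os.walk()."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def inventory(findings: list[Finding]) -> dict[str, Counter]:
    """Per-path counts by identifier type: the raw material for a PHI data map."""
    result: dict[str, Counter] = {}
    for f in findings:
        result.setdefault(f.path, Counter())[f.kind] += 1
    return result


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, counts in inventory(found).items():
        print(f"{path}: {dict(counts)}")
    for f in found:
        print(f"  {f.path}:{f.line} {f.kind} {f.masked}")
```

Run against the constructed samples, the billing export and the log file land in the inventory while the readme does not; the log file is the kind of location that never appears on an application inventory but does appear in an audit. Extending the scan to databases, mail stores and removable media is the same loop with a different source of (path, text) pairs.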